debugging/troubleshooting IPSec one-way traffic tunnel

Similar Questions

• LAN - to - LAN 837 to 3000series one-way traffic

  Hello

  Not even sure that there is even a way traffic. The 837 is encryting and the 3000series is done by increments Rx but nowhere on decrypt it and Tx respectively.

  Tracking guides and hub configuration cisco IOS religiously.

  The 837 ipsec cypto debugs seems to show that SAS created - when they actually decide to show them selves on the console.

  Routing is not a problem - unless you consider static routes on the 3000. Am I supposed to create a static route to send traffic to the LAN remote (837) on the public interface? Or is it not necessary to have an itinerary as SA definition will determine the tunnel to go down?

  Unfortunately no other LAN-to-LAN tnnnels on 3000 to compare these questions and I have no laboratory.

  Any help would be welcome. Of course, I can provide more information, all that is necessary. Am at my wits end with this one. So simple and yet not working - have to do something stupid.

  Thank you

  If the tunnel is under construction and your getting the traffic in one direction and not the other, it is usually the routing.

  The 831 sends traffic to the 3000 and 3000 is received, ranging from your counters. The problem is probably that the hosts behind the 3000 do not know how to return to the LAN behind the 831. Your internal network behind the 3000 will need a route to the LAN 831 that points to the interface of the 3000. The 3000 justs needs a default gateway pointing out the public interface.

  On the local network of 3000, if you have not all router internal and your interior hosts are directly connected to the same hub/switch interface private 3000, then each host will need a static route to the LAN 831 that points to the private interface 3000 (this is assuming of course that the 3000 is not the default gateway for hosts (, which is usually not).

  Keep in mind that if you see not all TX packets on the 3000, then the 3000 is not even see packets of it is inside the hosts which are intended for the 831 LAN, check the local routing behind the 3000 to see what is happening.

• VPN Cisco ASA 5540 L2L - one-way traffic only for the pair to a network

  Hello

  I'm a little confused as to which is the problem. This is the premise for the problem I have face.

  One of our big clients has a Cisco ASA5540 (8.2 (2)) failover (active / standby). Early last year, we have configured a VPN from Lan to Lan to a 3rd party site (a device of control point on their end). He worked until early this week when suddenly the connection problems.

  Only 1 of the 3 networks the / guests can access a remote network on the other side. 2 others have suddenly stopped working. We do not know of any change on our side and the remote end also insists that their end configurations are correct (and what information they sent me it seems to be correct)

  So essentially the encryption field is configured as follows:

  access-list line 1 permit extended ip 10.238.57.21 host 10.82.0.202 (hitcnt = 2)
  access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt = 198)
  access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt = 173)

  Free NAT has been configured as follows (names modified interfaces):

  NAT (interface1) 0-list of access to the INTERIOR-VPN-SHEEP

  the INTERIOR-VPN-SHEEP line 1 permit access list extended ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  permit for Access-list SHEEP-VPN-INSIDE line lengthened 2 ip host 10.238.57.21 10.82.0.202

  NAT (interface2) 0-list of access VPN-SHEEP

  VPN-SHEEP line 1 permit access list extended ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252

  After the problem started only 10.207.0.0/16 network connections worked for the site remote 10.82.0.200/30. All other connections do not work.

  There has been no change made on our side and on the side remote also insists there has been no change. I also checked how long the ASAs have been upward and how long the same device has been active in the failover. Both have been at the same time (about a year)

  The main problem is that users of the 10.231.191.0/24 cant access remote network network. However, the remote user can initiate and implement the VPN on their side but usually get any return traffic. Ive also checked that the routes are configured correctly in the routers in core for the return of their connections traffic should go back to the firewall.

  Also used of "packet - trace" event raising the VPN tunnel (even if it passes the phases VPN). For my understanding "packet - trace" alone with the IP source and destination addresses must activate the VPN connection (even if it generates no traffic to the current tunnel).

  This is printing to the following command: "packet - trace entry interface1 tcp 10.231.191.100 1025 10.82.0.203 80.

  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit rule
  Additional information:
  MAC access list

  Phase: 2
  Type: FLOW-SEARCH
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  Not found no corresponding stream, creating a new stream

  Phase: 3
  Type:-ROUTE SEARCH
  Subtype: entry
  Result: ALLOW
  Config:
  Additional information:
  in 10.82.0.200 255.255.255.252 outside

  Phase: 4
  Type: ACCESS-LIST
  Subtype: Journal
  Result: ALLOW
  Config:
  Access-group interface interface1
  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  Additional information:

  Phase: 5
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 6
  Type: INSPECT
  Subtype: np - inspect
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  Policy-map global_policy
  class inspection_default
  inspect the http
  global service-policy global_policy
  Additional information:

  Phase: 7
  Type: FOVER
  Subtype: Eve-updated
  Result: ALLOW
  Config:
  Additional information:

  Phase: 8
  Type: NAT-FREE
  Subtype:
  Result: ALLOW
  Config:
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
  Exempt from NAT
  translate_hits = 32, untranslate_hits = 35251
  Additional information:

  -Phase 9 is a static nat of the problem to another network interface. Don't know why his watch to print.

  Phase: 9
  Type: NAT
  Subtype: host-limits
  Result: ALLOW
  Config:
  static (interface1, interface3) 10.231.0.0 10.231.0.0 255.255.0.0 subnet mask
  NAT-control
  is the intellectual property inside 10.231.0.0 255.255.0.0 interface3 all
  static translation at 10.231.0.0
  translate_hits = 153954, untranslate_hits = 88
  Additional information:

  -Phase 10 seems to be the default NAT for the local network configuration when traffic is to the Internet

  Phase: 10
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT (interface1) 5 10.231.191.0 255.255.255.0
  NAT-control
  is the intellectual property inside 10.231.191.0 255.255.255.0 outside of any
  dynamic translation of hen 5 (y.y.y.y)
  translate_hits = 3048900, untranslate_hits = 77195
  Additional information:

  Phase: 11
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional information:

  Phase: 12
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional information:

  Phase: 13
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:

  Phase: 14
  Type: CREATING STREAMS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  New workflow created with the 1047981896 id, package sent to the next module

  Result:
  input interface: interface1
  entry status: to the top
  entry-line-status: to the top
  output interface: outside
  the status of the output: to the top
  output-line-status: to the top
  Action: allow

  So, basically, the connection should properly go to connect VPN L2L but yet is not. I tried to generate customer traffic of base (with the source IP address of the client network and I see the connection on the firewall, but yet there is absolutely no encapsulated packets when I check "crypto ipsec to show his" regarding this connection VPN L2L.) Its almost as if the firewall only transfers the packets on the external interface instead of encapsulating for VPN?

  And as I said, at the same time the remote end can activate the connection between these 2 networks very well, but just won't get any traffic back to their echo ICMP messages.

  access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
  local ident (addr, mask, prot, port): (10.231.191.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (10.82.0.200/255.255.255.252/0/0)
  current_peer: y.y.y.y

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 131, #pkts decrypt: 131, #pkts check: 131
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  If it was just a routing problem it would be a simple thing to fix, but it is not because I can see the connection I have to confirm it by the router base on the firewall, but they don't just get passed on to the VPN connection.

  Could this happen due to a bug in the Software ASA? Would this be something with Checkpoint VPN device? (I have absolutely no experience with devices of control point)

  If there is any essential information that I can give, please ask.

  -Jouni

  Jouni,

  8.2.4.1 is the minimum - 8.2.4 had some issues (including TCP proxy).

  If this does not resolve the problem - I suggest open TAC box to get to the bottom of this ;-)

  Marcin

• VPN site to Site one-way traffic

  Hi all

  I set up a Vpn site-to site and everything works well in the remote site to the corporate site, but since the site of the company asa 5510, I can't access to the remote site asa 5505.  I checked the logging on the SAA and I can see the packets being fallen but I can't find what I need to do to allow this traffic through.  Here are most of my 5510 config, I'm sure it's something simple I'm missing, but I can't run it please help.

  REMOTE network is 192.168.72.0

  : Saved

  : Written by enable_15 at 10:29:17.163 GMT/BDT Thu Jun 10 2010

  !

  ASA Version 8.0 (5)

  !

  host name Casa

  uk domain name

  activate the encrypted password of VgZT0UwPdkSV9l7N

  zlo5ImUVRkHl4lcl encrypted passwd

  names of

  name 192.168.103.14 description of Appliance CITRIX CITRIX Appliance

  name 192.168.3.12 description villages villages

  DNS-guard

  !

  interface Ethernet0/0

  nameif outside

  security-level 0

  IP address x.x.x.123 255.255.255.224

  !

  interface Ethernet0/1

  nameif inside

  security-level 100

  192.168.3.254 IP address 255.255.255.0

  !

  interface Ethernet0/2

  nameif dmz

  security-level 50

  IP 192.168.103.254 255.255.255.0

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  nameif management

  security-level 100

  IP 192.168.1.1 255.255.255.0

  management only

  !

  boot system Disk0: / asa805 - k8.bin

  boot system Disk0: / asa707 - k8.bin

  passive FTP mode

  clock timezone GMT/UTC 0

  summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00

  DNS server-group DefaultDNS

  uk domain name

  object-group network ExternalAccess

  Description hosts allowed direct web access

  network object-SVR-01 255.255.255.255

  SVR GIS 255.255.255.255 network-object

  host of network-object cient

  host villages network-object

  the ExternalAccessFromDMZ object-group network

  Description hosts allowed direct web access to DMZ

  CITRIX-device 255.255.255.255 network-object

  network-object IRONPORT1 255.255.255.255

  worker of the object-network 255.255.255.255

  MitelUDPinternet udp service object-group

  Description Mitel UDP services on the internet

  20000-27000 object-port Beach

  port-object eq sip

  port-object eq 5064

  MitelTCPinternet tcp service object-group

  Description Mitel TCP services on the internet

  port-object eq 2114

  port-object eq 2116

  port-object eq 35000

  port-object eq 37000

  port-object eq 3998

  6801-6802 object-port Beach

  port-object eq 6880

  port-object eq www

  EQ object of the https port

  port-object eq 6800

  EQ object Port 3478

  port-object eq sip

  EQ port ssh object

  MitelTCPinternetOpt tcp service object-group

  Description Mitel TCP optional services on the internet

  port-object eq 3300

  6806-6807 object-port Beach

  36005 36005 object-port Beach

  36005 36006 object-port Beach

  EQ object Port 3478

  port-object eq sip

  MitelUDP2LAN udp service object-group

  Description Mitel UDP for the local network of services

  object-port range 1024-65535

  port-object eq sip

  MitelTCP2LAN tcp service object-group

  Description Mitel TCP for the local network of services

  port-object eq 2114

  port-object eq 2116

  port-object eq 35000

  port-object eq 37000

  port-object eq 1606

  object-port 4443 eq

  port-object eq 3998

  port-object eq 3999

  6801-6802 object-port Beach

  port-object eq 6880

  port-object eq www

  EQ object of the https port

  EQ object Port 3478

  port-object eq sip

  acl_outside list extended access permit icmp any any echo response

  acl_outside list extended access allow all unreachable icmp

  acl_outside list extended access permit icmp any any source-quench

  acl_outside list extended access permit tcp any host Mail_Outside_AGH eq smtp

  acl_outside list extended access permit tcp any host Mail_Outside_AGH eq https

  acl_outside list extended access permit tcp any host x.x.x.123 eq ssh

  acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh

  acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8088

  acl_outside list extended access permit tcp any host Citrix_Portal_outside eq https

  acl_outside list extended access permit tcp any host Citrix_Portal_outside eq 8081

  acl_outside list extended access permit tcp any host Mail_Outside_AVON eq smtp

  acl_outside list extended access permit tcp any host Mail_Outside_AVON eq https

  acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp

  acl_outside list extended access permit udp host x.x.x.x host Icritical_Outside eq snmp

  acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternet object-group

  acl_outside list extended access permit udp any host teleworker_outside MitelUDPinternet object-group

  acl_outside list extended access permit tcp any host teleworker_outside MitelTCPinternetOpt object-group

  acl_outside list extended access permit tcp host x.x.x.x host Icritical_Outside eq ssh

  acl_outside list extended access permit udp any host ESX-PAL-01 eq ntp

  acl_outside list extended access permit udp any host ESX-PAL-02 eq ntp

  acl_outside list extended access permit udp any host ESX-PAL-03 eq ntp

  inside_outbound_nat0_acl to access ip 192.168.1.0 scope list allow 255.255.255.0 172.30.100.0 inactive 255.255.255.224

  inside_outbound_nat0_acl list of allowed ip extended access all 172.31.1.0 255.255.255.0

  inside_outbound_nat0_acl to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.103.0 255.255.255.0

  inside_outbound_nat0_acl to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.72.0 255.255.255.0

  inside_pnat_outbound list extended access allowed object-group ip ExternalAccess everything

  acl_dmz list extended access permit ip host host IRONPORT1 Mail_Inside_AGH

  acl_dmz list extended access permit udp host field of pal-svr-22 eq IRONPORT1 host

  acl_dmz list extended access permit tcp host IRONPORT1 host pal-svr-22 eq 3268

  acl_dmz list extended access permit udp host host IRONPORT1 ARM-SVR-01 eq field

  acl_dmz list extended access permit tcp host IRONPORT1 host ARM-SVR-01 eq 3268

  acl_dmz list extended access permit udp host host IRONPORT1 Pal-Svr-17 eq field

  acl_dmz list extended access allowed icmp host host IRONPORT1 Mail_Inside_AGH

  access extensive list ip 192.168.103.0 acl_dmz allow 255.255.255.0 any

  acl_dmz list extended access permit tcp host host CITRIX-device-CITRIXCSG-lan eq https inactive

  acl_dmz list extended access permit ip any host CITRIXCSG-lan idle

  acl_dmz list extended access permit tcp host IRONPORT1 eq Mail_Outside_AGH smtp

  acl_dmz list extended access permit tcp host teleworker host 192.168.20.1 object-group MitelTCP2LAN

  acl_dmz list extended access permit udp host teleworker host 192.168.20.1 object-group MitelUDP2LAN

  dmz_pnat_outbound list extended access allowed object-group ip ExternalAccessFromDMZ all

  access extensive list ip 192.168.103.0 dmz_nat0_inbound allow 255.255.255.0 192.168.3.0 255.255.255.0

  dmz_nat0_inbound list of ip host 192.168.20.1 telecommuter host allowed extended access

  access extensive list ip 192.168.21.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

  access extensive list ip 192.168.22.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

  access extensive list ip 192.168.23.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

  access extensive list ip 192.168.24.0 inside_pnat_outbound_AVON allow 255.255.248.0 all

  inside_pnat_outbound_AVON to access extended list ip 192.168.32.0 allow 255.255.240.0 everything

  access extensive list ip 192.168.48.0 inside_pnat_outbound_AVON allow 255.255.248.0 all

  access extensive list ip 192.168.56.0 inside_pnat_outbound_AVON allow 255.255.252.0 all

  access extensive list ip 192.168.60.0 inside_pnat_outbound_AVON allow 255.255.255.0 any

  allow any scope to an entire ip access list

  inside_nat_AVON_Marshall list extended access permit ip host Mail_Inside_AVON all

  dmz_pnat1_outbound list of ip telecommuter host allowed extended access any

  outside_1_cryptomap to access extended list ip 192.168.3.0 allow 255.255.255.0 192.168.72.0 255.255.255.0

  pager lines 24

  Enable logging

  asdm of logging of information

  logging e-mail notifications

  uk address record

  exploitation forest-address recipient [email protected] / * / critical level

  Outside 1500 MTU

  Within 1500 MTU

  MTU 1500 dmz

  management of MTU 1500

  IP local pool vpnpool 172.31.1.1 - 172.31.1.254 mask 255.255.255.0

  no failover

  ICMP unreachable rate-limit 1 burst-size 1

  ICMP allow any inside

  ICMP allow no dmz echo

  ICMP allow all dmz

  ASDM image disk0: / asdm-625 - 53.bin

  ASDM location SVR-01 255.255.255.255 inside

  ASDM location svr-02 255.255.255.255 inside

  ASDM location IRONPORT1 255.255.255.255 dmz

  ASDM location 194.81.55.226 255.255.255.255 dmz

  ASDM 255.255.255.255 inside server location

  ASDM location CITRIX-device 255.255.255.255 dmz

  ASDM group ExternalAccess inside

  ASDM group dmz ExternalAccessFromDMZ

  don't allow no asdm history

  ARP timeout 14400

  Global x.x.x.121 2 (outdoor)

  Global 1 x.x.x.125 (outside)

  Global Mail_Outside_AVON 3 (outside)

  Global Mail_Outside_AGH 4 (outside)

  Global teleworker_outside 5 (outside)

  NAT (inside) 0-list of access inside_outbound_nat0_acl

  NAT (inside) 2-list of access inside_pnat_outbound_AVON

  NAT (inside) 3 access-list inside_nat_AVON_Marshall

  NAT (inside) 1 access-list inside_pnat_outbound

  NAT (dmz) 0-list of access dmz_nat0_inbound outside

  NAT (dmz) 4 access-list dmz_pnat_outbound

  NAT (dmz) 5 access-list dmz_pnat1_outbound

  static (inside, outside) tcp ssh Icritical ssh netmask 255.255.255.255 Icritical_Outside

  static (inside, outside) tcp https Mail_Outside_AGH Mail_Inside_AGH https netmask 255.255.255.255

  static (dmz, outside) tcp smtp smtp IRONPORT1 netmask 255.255.255.255 Mail_Outside_AGH

  static (inside, outside) tcp https Mail_Outside_AVON Exchange_Inside_AVON https netmask 255.255.255.255

  static (inside, outside) tcp smtp smtp Mail_Inside_AVON netmask 255.255.255.255 Mail_Outside_AVON

  static (inside, outside) udp snmp Icritical snmp netmask 255.255.255.255 Icritical_Outside

  static (dmz, outside) device-CITRIX-Citrix_Portal_outside netmask 255.255.255.255

  static (inside, outside) Mail_Outside_AVON Mail_Inside_AVON netmask 255.255.255.255

  static (dmz, external) teleworker_outside netmask 255.255.255.255 teleworker

  Access-group acl_outside in interface outside

  Access-group acl_dmz in dmz interface

  Route outside 0.0.0.0 0.0.0.0 X.X.X.254 1

  Route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  Enable http server

  oner http 255.255.255.255 inside

  http 192.168.1.0 255.255.255.0 management

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  card crypto outside_map 1 match address outside_1_cryptomap

  card crypto outside_map 1 set pfs Group1

  card crypto outside_map 1 set r.r.r.244 counterpart

  card crypto outside_map 1 set of transformation-ESP-3DES-SHA

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  crypto ISAKMP allow outside

  crypto ISAKMP policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  No encryption isakmp nat-traversal

  Telnet timeout 5

  SSH x.x.x.x 255.255.255.255 outside

  SSH Mail_Inside_AGH 255.255.255.255 inside

  SSH timeout 5

  Console timeout 0

  management of 192.168.1.2 - dhcpd address 192.168.1.254

  enable dhcpd management

  !

  a basic threat threat detection

  statistical threat detection port

  Statistical threat detection Protocol

  Statistics-list of access threat detection

  a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200

  prefer NTP server SVR - DC1 source inside

  internal VPN group policy

  attributes of VPN group policy

  value 192.168.x.x 192.168.x.x WINS server

  Server DNS value 192.168.x.x 192.168.x.x

  enable IPSec-udp

  value by default domain-ACE

  username, password pmmPwcDD/inpnNfB VPN encrypted privilege 0

  attributes of VPN username

  Strategy-Group-VPN VPN

  VPN Tunnel-group type remote access

  General-attributes of VPN Tunnel-group

  address vpnpool pool

  Group Policy - by default-VPN

  Group-tunnel VPN ipsec-attributes

  pre-shared key *.

  tunnel-group r.r.r.244 type ipsec-l2l

  r.r.r.244 tunnel ipsec-attributes group

  pre-shared key *.

  by default-group r.r.r.244 tunnel-Group-map

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns migrated_dns_map_1

  parameters

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the migrated_dns_map_1 dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  inspect the rsh

  inspect the rtsp

  inspect esmtp

  inspect sqlnet

  inspect the skinny

  inspect sunrpc

  inspect xdmcp

  inspect the netbios

  inspect the tftp

  inspect the sip

  !

  global service-policy global_policy

  context of prompt hostname

  Cryptochecksum:8360816431357f109b3c4b950d545c86

  : end

  This route is duplicated with the remote network

  Route inside 192.168.0.0 255.255.0.0 192.168.3.3 1

  I suggest to make this more specific subnet or add something like

  Route outside 192.168.72.0 255.255.255.0 outside_default_gateway_ip

  Internal, if above not in fact help, put a trace packet to simulate traffic even that fails on the 5510.

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/p.html#wp1878788

  Kind regards

• One-way traffic DMVPN

  setting up the first star in a mesh network. VPN connects very well and there is a part of the traffic above him, however it looks like anything to get wrapped. I see eigrp and PNDH, try to go forward and backward, but neither made with great success. Any ideas where to look?

  E - townInternet #show cry ipsec his

  Interface: Tunnel0
  Tag crypto map: addr Tunnel0-head-0, local 67.235.62.74

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (xx/255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (xx/255.255.255.255/47/0)
  current_peer xx port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 1646, #pkts decrypt: 1646, #pkts check: 1646
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  endpt local crypto. : xx, remote Start crypto. : xx
  Path mtu 1500, ip mtu 1500
  current outbound SPI: 0x1DAF1EB4 (498015924)

  SAS of the esp on arrival:
  SPI: 0x3E489DA4 (1044946340)
  transform: esp-3des esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 3003, flow_id: FPGA:3, crypto card: head-Tunnel0-0
  calendar of his: service life remaining (k/s) key: (4585669/53)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x1DAF1EB4 (498015924)
  transform: esp-3des esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 3005, flow_id: FPGA:5, crypto card: head-Tunnel0-0
  calendar of his: service life remaining (k/s) key: (4585672/53)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:
  E - townInternet #.

  Neil,

  EIGRP retry limit is used when no complete PNDH was built.

  You mean interface tunnel itself beat (going up/down)?

  Marcin

• How to set up a one-way IPSec-L2L tunnel

  This may be a silly question, since VPN for communications between the parties of confidence and that most people would try to correct a unidirectional tunnel.

  But I'm interested to transform a regular one-way only, tunnel that traffic to my side can initiate the tunnel.

  Recently, we built this tunnel between our ASA5510 and ASA5510 of our biz partner to run critical applications on their web servers not connected to the Internet. I want to tie down so that they cannot launch the VPN. I have the crypto ACL set to limit to a port address, so they can only come from this port once the tunnel is established. We also have a personal firewall installed on each host.

  Any idea on how to make the one-way tunnel and protect also us better once the tunnel is mounted?

  Hello

  You can use the following command:

  defined card crypto seq - num connection-type name {only answer | only | two-way}

  This command defines whether the tunnel is come only or single answer. If you set the tunnel on your side to come alone, the asa will never accept the installation of tunnel from your business partner. However, you can still start the configuration of the vpn tunnel.

  Check:

  http://www.Cisco.com/en/us/partner/docs/security/ASA/asa80/command/reference/C5.html#wp2152576

  Even if the reference is to ASA8.0 I know it works for 7.2.x so

  Hope this helps

  Kind regards

  Pieter-Jan

• Traffic permitted only one-way for VPN-connected computers

  Hello

  I currently have an ASA 5505.  I put up as a remote SSL VPN access. My computers can connect to the VPN very well.  They just cannot access the internal network (192.168.250.0).  They cannot ping the inside interface of the ASA, nor any of the machines.  It seems that all traffic is blocked for them.  The strange thing is that when someone is connected to the VPN, I can ping this ASA VPN connection machine and other machines inside the LAN.  It seems that the traffic allows only one way.  I messed up with ACL with nothing doesn't.  Any suggestions please?

  Pool DHCP-192.168.250.20 - 50--> for LAN

  Pool VPN: 192.168.250.100 and 192.168.250.101

  Outside interface to get the modem DHCP

  The inside interface: 192.168.1.1

  Courses Running Config:

  : Saved

  :

  ASA Version 8.2 (5)

  !

  hostname HardmanASA

  activate the password # encrypted

  passwd # encrypted

  names of

  !

  interface Ethernet0/0

  switchport access vlan 20

  !

  interface Ethernet0/1

  switchport access vlan 10

  !

  interface Ethernet0/2

  switchport access vlan 10

  !

  interface Ethernet0/3

  Shutdown

  !

  interface Ethernet0/4

  Shutdown

  !

  interface Ethernet0/5

  Shutdown

  !

  interface Ethernet0/6

  Shutdown

  !

  interface Ethernet0/7

  switchport access vlan 10

  !

  interface Vlan1

  No nameif

  no level of security

  no ip address

  !

  interface Vlan10

  nameif inside

  security-level 100

  IP 192.168.250.1 255.255.255.0

  !

  interface Vlan20

  nameif outside

  security-level 0

  IP address dhcp setroute

  !

  passive FTP mode

  DNS lookup field inside

  DNS domain-lookup outside

  pager lines 24

  Within 1500 MTU

  Outside 1500 MTU

  mask 192.168.250.100 - 192.168.250.101 255.255.255.0 IP local pool VPN_Pool

  ICMP unreachable rate-limit 1 burst-size 1

  don't allow no asdm history

  ARP timeout 14400

  Global interface 10 (external)

  NAT (inside) 10 192.168.250.0 255.255.255.0

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

  timeout tcp-proxy-reassembly 0:01:00

  Floating conn timeout 0:00:00

  dynamic-access-policy-registration DfltAccessPolicy

  the ssh LOCAL console AAA authentication

  Enable http server

  http 192.168.250.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  life crypto ipsec security association seconds 28800

  Crypto ipsec kilobytes of life - safety 4608000 association

  Telnet timeout 5

  SSH 192.168.250.0 255.255.255.0 inside

  SSH timeout 5

  SSH version 2

  Console timeout 0

  dhcpd dns 8.8.8.8

  !

  dhcpd address 192.168.250.20 - 192.168.250.50 inside

  dhcpd allow inside

  !

  a basic threat threat detection

  Statistics-list of access threat detection

  no statistical threat detection tcp-interception

  WebVPN

  allow outside

  SVC disk0:/anyconnect-win-2.5.2014-k9.pkg 1 image

  SVC disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 image

  Picture disk0:/anyconnect-linux-2.5.2014-k9.pkg 3 SVC

  enable SVC

  tunnel-group-list activate

  attributes of Group Policy DfltGrpPolicy

  value of server DNS 8.8.8.8

  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn

  tunnel-group AnyConnect type remote access

  tunnel-group AnyConnect General attributes

  address pool VPN_Pool

  tunnel-group AnyConnect webvpn-attributes

  enable AnyConnect group-alias

  !

  class-map inspection_default

  match default-inspection-traffic

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  Review the ip options

  inspect the netbios

  inspect the rsh

  inspect the rtsp

  inspect the skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect the tftp

  inspect the sip

  inspect xdmcp

  !

  global service-policy global_policy

  context of prompt hostname

  no remote anonymous reporting call

  call-home

  Profile of CiscoTAC-1

  no active account

  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

  email address of destination [email protected] / * /

  destination-mode http transport

  Subscribe to alert-group diagnosis

  Subscribe to alert-group environment

  Subscribe to alert-group monthly periodic inventory

  monthly periodicals to subscribe to alert-group configuration

  daily periodic subscribe to alert-group telemetry

  Cryptochecksum:30fadff4b400e42e73e17167828e046f

  : end

  Hello

  No worries

  As we change the config I would do as well as possible.

  First, it is strongly recommended to use a different range of IP addresses for VPN clients and the internal network

  No VPN_Pool 192.168.250.100 - 192.168.250.101 255.255.255.0 ip local pool mask

  mask 192.168.251.100 - 192.168.251.101 255.255.255.0 IP local pool VPN_Pool

  NAT_0 ip 192.168.250.0 access list allow 255.255.255.0 192.168.251.0 255.255.255.0

  NAT (inside) 0-list of access NAT_0

  Then give it a try and it work note this post hehe

• Troubleshooting IPSec Site to Site VPN between ASA and 1841

  Hi all

  in the past I've implemented several VPN connections between the devices of the SAA. So I thought a site link between an ASA site and 1841 would be easier... But it seems I was mistaken.

  I configured a VPN Site to Site, as it has been described in the Document ID: SDM 110198: IPsec Site to Site VPN between ASA/PIX and an example of IOS Router Configuration (I have not used SDM but CCP).

  I have run the wizards on the ASA with ASDM and the current IOS version 15.1 1841, with CCP.

  It seems to Phase 1 and 2 are coming although my ASA in ADSM reports (monitoring > VPN > VPN statistics > Sessions) a tunnel established with some of the Tx traffic but 0 Rx traffic),

  On the ASA:

  Output of the command: "sh crypto ipsec its peer 217.xx.yy.zz.

  address of the peers: 217.86.154.120
  Crypto map tag: VPN-OUTSIDE, seq num: 2, local addr: 62.aa.bb.cc

  access extensive list ip 192.168.37.0 outside_2_cryptomap_1 allow 255.255.255.0 172.20.2.0 255.255.255.0
  local ident (addr, mask, prot, port): (LAN-A/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (LAN-G/255.255.255.0/0/0)
  current_peer: 217.xx.yy.zz

  #pkts program: 400, #pkts encrypt: 400, #pkts digest: 400
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 400, comp #pkts failed: 0, #pkts Dang failed: 0
  success #frag before: 0, failures before #frag: 0, #fragments created: 0
  Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 62.aa.bb.cc, remote Start crypto. : 217.xx.yy.zz

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: 39135054
  current inbound SPI: B2E9E500

  SAS of the esp on arrival:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4374000/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001
  outgoing esp sas:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac no compression
  running parameters = {L2L, Tunnel, PFS 2 group}
  slot: 0, id_conn: 100327424, crypto-map: VPN-OUTSIDE
  calendar of his: service life remaining (KB/s) key: (4373976/1598)
  Size IV: 8 bytes
  support for replay detection: Y
  Anti-replay bitmap:
  0x00000000 0x00000001

  Output of the command: "sh crypto isakmp his."

  HIS active: 4
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 4

  IKE Peer: 217.xx.yy.zz
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  On the 1841

  1841 crypto isakmp #sh its
  IPv4 Crypto ISAKMP Security Association
  DST CBC conn-State id
  217.86.154.120 62.153.156.163 QM_IDLE 1002 ACTIVE

  1841 crypto ipsec #sh its

  Interface: Dialer1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1
  Tag crypto map: SDM_CMAP_1, local addr 217.86.154.120

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.20.2.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (192.168.37.0/255.255.255.0/0/0)
  current_peer 62.153.156.163 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 585, #pkts decrypt: 585, #pkts check: 585
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 217.86.154.120, remote Start crypto. : 62.153.156.163
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer1
  current outbound SPI: 0xB2E9E500 (3001672960)
  PFS (Y/N): Y, Diffie-Hellman group: group2

  SAS of the esp on arrival:
  SPI: 0 x 39135054 (957567060)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: FPGA:3, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505068/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xB2E9E500 (3001672960)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: FPGA:4, sibling_flags 80000046, card crypto: SDM_CMAP_1
  calendar of his: service life remaining (k/s) key: (4505118/1306)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  It seems that the routing on the 1841 is working properly as I can tear down the tunnel and relaunch in scathing a host on the network of 1841, but not vice versa.

  Trounleshoot VPN of the 1841 report shows a message like "the following sources are forwarded through the interface card crypto.      (172.20.2.0 1) go to "Configure-> routing" and correct the routing table.

  I have not found an error on the 1841 config so if one of the guys reading this thread has an idea I appreciate highly suspicion!

  It's the running of the 1841 configuration

  !
  version 15.1
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  host name 1841
  !
  boot-start-marker
  start the system flash c1841-adventerprisek9 - mz.151 - 1.T.bin
  boot-end-marker
  !
  logging buffered 51200 notifications
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  !
  AAA - the id of the joint session
  !
  iomem 20 memory size
  clock timezone PCTime 1
  PCTime of summer time clock day March 30, 2003 02:00 October 26, 2003 03:00
  dot11 syslog
  IP source-route
  !
  No dhcp use connected vrf ip
  !
  IP cef
  no ip bootp Server
  IP domain name test
  name of the IP-server 194.25.2.129
  name of the IP-server 194.25.2.130
  name of the IP-server 194.25.2.131
  name of the IP-server 194.25.2.132
  name of the IP-server 194.25.2.133
  No ipv6 cef
  !
  Authenticated MultiLink bundle-name Panel
  !
  !
  object-group network phone
  VoIP phone description
  Home 172.20.2.50
  Home 172.20.2.51
  !
  redundancy
  !
  !
  controller LAN 0/0/0
  atm mode
  Annex symmetrical shdsl DSL-mode B
  !
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  isakmp encryption key * address 62.aa.bb.cc
  !
  !
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  !
  map SDM_CMAP_1 1 ipsec-isakmp crypto
  Description Tunnel to62.aa.bb.cc
  the value of 62.aa.bb.cc peer
  game of transformation-ESP-3DES-SHA
  PFS group2 Set
  match address 100
  !
  !
  !
  interface FastEthernet0/0
  DMZ description $ FW_OUTSIDE$
  10.10.10.254 IP address 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  automatic duplex
  automatic speed
  !
  interface FastEthernet0/1
  Description $ETH - LAN$ $FW_INSIDE$
  IP 172.20.2.254 255.255.255.0
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  IP tcp adjust-mss 1412
  automatic duplex
  automatic speed
  !
  ATM0/0/0 interface
  no ip address
  No atm ilmi-keepalive
  !
  point-to-point interface ATM0/0/0.1
  PVC 1/32
  PPPoE-client dial-pool-number 1
  !
  !
  interface Dialer1
  Description $FW_OUTSIDE$
  the negotiated IP address
  IP mtu 1452
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  Dialer pool 1
  Dialer-Group 2
  PPP authentication chap callin pap
  PPP chap hostname xxxxxxx
  PPP chap password 7 xxxxxxx8
  PPP pap sent-name of user password xxxxxxx xxxxxxx 7
  map SDM_CMAP_1 crypto
  !
  IP forward-Protocol ND
  IP http server
  local IP http authentication
  IP http secure server
  !
  !
  The dns server IP
  IP nat inside source static tcp 10.10.10.1 808 interface Dialer1 80
  IP nat inside source static tcp 10.10.10.1 25 25 Dialer1 interface
  IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
  IP nat inside source overload map route SDM_RMAP_2 interface Dialer1
  IP route 0.0.0.0 0.0.0.0 Dialer1 permanent
  !
  logging trap notifications
  Note category of access list 1 = 2 CCP_ACL
  access-list 1 permit 172.20.2.0 0.0.0.255
  Note access-list category 2 CCP_ACL = 2
  access-list 2 allow 10.10.10.0 0.0.0.255
  Note access-list 100 category CCP_ACL = 4
  Note access-list 100 IPSec rule
  access-list 100 permit ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  Note CCP_ACL the access list 101 = 2 category
  Note access-list 101 IPSec rule
  access-list 101 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 101 permit ip 172.20.2.0 0.0.0.255 any
  Note access-list 102 CCP_ACL category = 2
  Note access-list 102 IPSec rule
  access-list 102 deny ip 172.20.2.0 0.0.0.255 192.168.37.0 0.0.0.255
  access-list 102 permit ip 10.10.10.0 0.0.0.255 any
  !

  !
  allowed SDM_RMAP_1 1 route map
  corresponds to the IP 101
  !
  allowed SDM_RMAP_2 1 route map
  corresponds to the IP 102
  !
  !
  control plan
  !
  !
  Line con 0
  line to 0
  line vty 0 4
  length 0
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  NTP-Calendar Update
  NTP 172.20.2.250 Server prefer
  end

  As I mentioned previously: suspicion is much appreciated!

  Best regards

  Joerg

  Joerg,

  ASA receives not all VPN packages because IOS does not send anything.

  Try to send packets to the 1841 LAN to LAN of the ASA and see is the "sh cry ips its" on the 1841 increments the encrypted packets (there not)

  The problem seems so on the side of the router.

  I think that is a routing problem, but you only have one default gateway (no other channels on the router).

  The ACL 100 is set to encrypt the traffic between the two subnets.

  It seems that the ACL 101 is also bypassing NAT for VPN traffic.

  Follow these steps:

  Try running traffic of LAN router inside IP (source of ping 192.168.37.x 172.20.2.254) and see if the packages are not through the translation and obtaining encrypted.

  I would also like to delete 100 ACL from the inside interface on the router because it is used for the VPN. You can create an another ACL to apply to the interface.

  Federico.

• Troubleshoot ipsec?

  We have an established ispec tunnel but it's not the traffic that goes. I see only my end and everything seems in good condition.

  When I run a 'sh crypto ipsec his counterpart x.x.x.x"I can see that the encapsulated packets get but none become décapsulés.

  Tracer package running watch also my traffic is allowed.

  How can I know for certain that the issue is at the other end of the tunnel?

  Hi Louis,.

  If you see that your end is encapsulating packets from your end... then coming to tunnel and out with encapsulated... other peripheral end FW/VPN should receive it and décapsulent the same to send traffic to the destination... it's to go on traffic... the return package or the response packet will wrap again and send it to us , which will get opens and the applicant...

  Here, you need to check on the other end of the firewall and see if it gets décapsulés and encapsulated in this way... that you may need to check the delivery for remote lan to the remote peer, NAT and ipsec rules policies matches, etc...

  run a debug crypto ipsec 128 on your side to see if that gives a...

  If you do all these step by step... no doubt, you can sort the question...

  Concerning

  Knockaert

• One way or another on my email print size has decreased to the point I can hardly read it.

  One way or another on my email print size has decreased to the point I can hardly read it.  Can any of you tell me please what keys hold and scroll to get the largest print size. Thank you very much.

  original title: Email printing size

  Sorry, but being the Webmail of Yahoo leaves me without a clue. Maybe Internet Explorer forum or Yahoo support might be more useful.

  Internet Explorer forums
  http://answers.Microsoft.com/en-us/IE

  Yahoo help
  http://help.Yahoo.com/l/us/Yahoo/helpcentral/

• One-way video problem

  Hello

  We have two expressways and we have received a report of a company, call one of our sites had issues with one-way video. The appellant could not see the person they had composed, but they could see the appellant. Audio was OK. They were ordered to place a new call through our other expressway and all audio and video works just fine. So, I'm trying to understand if there is a difference between highways and why this happens. They run every two X8.1.1. The strange thing is that we only received from an enterprise report then having this problem through this "faulty" highway is us or them? Apparently, they do not have problems with one another that they make calls...

  Looks like maybe it's time to collect newspapers... but everyone else encountered this? No I well confused everyone :)

  Thank you!

  In general I really wouldn't expect things to need to a few reboots to register.

  Well sure a typical tech & response of the TAC will be "upgrading to the last" which I also recommended,.

  but your symptoms still its a bit sketchy.

  Its a good start to check if your firewall/network/dns /... are ok as well. A lot of questions

  are hidden there. It is difficult to see the full extend of here.

  Please get some internal or as a good Cisco partner or network resources.

  And Yes, look in the upgrade to CUCM!

  But the network / the environment should still be ok for that as well :-)

  Please note the messages with the stars below and define the thread if it is a response.

• Is there one way other than to_char to get the month of the date field

  Is there one way other than to_char to get the month of the date field

  Hello

  raj4tech wrote:

  Is there one way other than to_char to get the month of the date field

  EXTRACT is one:

  SELECT INTERESTED (SYSDATE MONTHS) AS curr_month

  DOUBLE;

• Is it only a one-way sync?

  It does not appear the changes I do either Illustrator or Indesign gets returned to the application?  It would be really great.  Maybe I'm not saving correctly?  In any case, looks very promising!

  J.

  It is one-way. The application of the model is to make a model, a "global," sketching a layout.

  The file is sent to InDesign/Illustrator/Photoshop for the realization of the project.

  He actually quite brilliantly designed and implemented, especially for a 1.0 release.

• In the bpel process one-way transaction management

  Hello
  
  I created a one-way bpel process with oneWayDeliveryPolicy property - property Sync and transaction - required. When I exposed this service as a SOAP service, I see well The Participation of Transaction in the Web Service adapter in the way of exposed Services configured as EVER. Is this to say that BPELCallee would not participate in the same transaction as the appellant BPEL?
  
  Aditya

  Hello

  Properties refer to the support of different transactions "contexts", as you can see in the documents below. The bpel.config.transaction refers to the semantics of Transaction BPEL Process Manager, while the 'Participation of the operation' refers to WS-AT , which provides interoperability of transaction between Oracle WebLogic Server and transaction of other providers services... I've never tested it myself, but I guess that if you process BPEL transactions, the bpel.config.transaction will prevail...

  http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/soa_transactions.htm#CHDEHCFE
  http://docs.Oracle.com/CD/E23943_01/dev.1111/e10224/sca_bindingcomps.htm#SOASE86071

  See you soon,.
  Vlad

• Configuration very base one-way Golden Gate

  Version of DB: Oracle 11.2.0.3
  Golden Gate version: 11.2 (last one dated September 22, 2012)
  Platform: Solaris x 86 64-bit
  
  Currently learning Golden Gate by googling and I'll install Golden Gate for the first time.
  That's what I'm planning.

  Source DB : fncdev
  Target DB : sgntgt
  What needs to be replicated : SCOTT and HR schemas from source has to be replicated to Target ( Unidirectional )

  I intend to set up a very basic one-way GG, where in SCOTT and HR in source DB schemas is replicated in the target DB.
  
  I would like to know 2 things.
  
  1. what should be the content of the parameter file?
  
  2. after have I properly configure GG, what would be the output of command all THE INFO in the source and target database

  -- Source database
  GGSCI > info all
  
  -- Target database
  GGSCI > info all

  Basic extract and replicat content parameter of the file.

  Extract E_TEST1
  SETENV (ORACLE_SID = OGGTEST)

  GGADMIN username password *.
  Exttrail/goldengate/gg_trail/trail/test/and

  -Add below lines only if DDL replication is configured.
  -The DOF ARE MAPPED
  DDLOPTIONS - ADDTRANDATA, REPORT

  TABLE HR.*;
  TABLE SCOTT.*;
  -------------------------------------------------------------------------------------------------

  REPLICAT R_TEST1
  SETENV (ORACLE_SID = OGGTEST)

  GGADMIN username password *.
  ASSUMETARGETDEFS

  DISCARDFILE oragg/11.1/dirrpt/R_TEST1.dsc, APPEND, 1024 MEGABYTES

  MAP HR.*, TARGET HR.*;
  MAP SCOTT.*, TARGET SCOTT.*;

  I hope that these samples help!

  Kind regards
  RB